AAT Systems
AAT Systems LLC
aatsyst.com

Privacy Policy

Last updated: April 27, 2026

1. Who we are

AAT Systems (the «Platform») is a product of AAT Systems LLC (Georgia). We provide a SaaS for automating business communications via Instagram, Facebook Messenger and WhatsApp Business.

Privacy contact: privacy@aatsyst.com

2. What data we collect

2.1. From Platform users (our customers)

  • Email, name, avatar (via Meta OAuth or Google OAuth at sign-up)
  • Payment data (via Stripe — we do not store card numbers)
  • Workspace settings, chosen plan, subscription history
  • Refresh tokens for connected integrations (Google Sheets, Anthropic, OpenAI) — encrypted with AES-256-GCM in our database
  • Action logs (for audit and support)

2.2. From customers' subscribers (End Users in Meta terms)

When a subscriber messages your bot on IG/FB/WA, we receive from Meta:

  • Page-Scoped User ID (PSID) / IG Business User ID / WhatsApp ID
  • Name and avatar (if allowed by subscriber settings)
  • Message contents (text, media URLs, button payloads)
  • Metadata: timestamp, message type, channel

We do not request a subscriber's phone, email or address without explicit consent (via a customer-side lead form).

3. Why we use it

  • Deliver messages to customers via Meta API within flows configured by our customer (data controller)
  • Store conversation history to display in our customer's Live Chat
  • Run AI blocks (Claude / OpenAI) to generate replies based on a knowledge base supplied by the customer
  • Billing (Stripe) and usage metrics (for plan limits)
  • Send system emails (sign-up confirmation, payment receipts)

We do not sell data to third parties and do not use it for advertising.

4. Who we share with

Sub-processors:

  • Meta Platforms — sending messages via Graph API / Cloud API
  • Anthropic / OpenAI — generating AI replies (only when the customer configured an AI Reply block); prompts are NOT used to train the models (Anthropic zero-retention API + OpenAI zero-retention)
  • Google — only if the customer connected the Google Sheets integration
  • Stripe — processing payments and subscriptions
  • Resend / Postmark — transactional email notifications
  • Vercel / Neon / Supabase — hosting and database (EU region)
  • Sentry / Datadog — error monitoring (no PII in logs)

5. Retention

  • Messages and contacts — while the customer's subscription is active + 30 days after cancellation
  • OAuth tokens — while the channel is connected; deleted immediately on disconnect
  • Logs and metrics — 90 days
  • Billing history — 7 years (tax law requirement)

6. Your rights (GDPR Articles 15-22)

You have the right to:

  • Access — request a copy of all data we hold about you
  • Rectification — ask us to correct inaccurate data
  • Erasure («right to be forgotten») — request full deletion
  • Portability — receive your data in a machine-readable format (JSON)
  • Object — opt out of certain types of processing
  • Complaint to a regulator (for the EU, the relevant data protection supervisory authority)

Send any of these requests to privacy@aatsyst.com — we'll respond within 30 days. For deletion you can also use /data-deletion.

7. Security

  • HTTPS-only traffic (TLS 1.3)
  • OAuth tokens are AES-256-GCM encrypted in the database
  • Webhook signatures are verified with HMAC-SHA256
  • Cookies: HttpOnly, Secure, SameSite=Lax
  • Production DB access only via VPN, audit log of all admin actions
  • Multi-tenant isolation at the SQL query level — one workspace's data is not visible to another

8. Cookies

We only use functional cookies:

  • aat-session — auth token (HttpOnly)
  • aat-theme — theme choice (light/dark)

No analytics or ad tracking. Details at /cookies.

9. Children

The Platform is not intended for children under 16. We do not knowingly collect data about such users. If we learn of any, we delete it immediately.

10. Policy changes

We notify you of material changes by email at least 30 days before they take effect. The last update date is shown at the top.

© 2026 AAT Systems LLC